French Data Protection Agency Judgment Against Google LLC

Willis Towers Watson Assessment and FAQs

The French supervisory authority recently imposed a penalty of €50 million on Google, alleging that the company had violated certain provisions of the EU General Data Protection Regulation (GDPR).

This action arose from consumer complaints to the Commission Nationale de l’informatique et des libertés (CNIL), the body responsible for data protection in France. While the CNIL did not agree with the full scope of the consumer complaints, they did find sufficient common ground to proceed with the action.

We have provided our initial assessment of this news below, along with our answers to some commonly asked questions. We expect more to follow as we learn more about Google’s appeal, the rationale for the French decision, and what implications this may have for cyber insurance, French law, and other potential penalties under the GDPR.

Summary

This is a landmark decision by the CNIL regarding alleged violations of the GDPR and consequential penalties assessed against Google LLC

Google LLC is appealing this decision

The fine of €50 million is about 1% of what could theoretically have been assessed under GDPR, based on Google’s 2017 revenue of $107 billion USD

French legal opinion suggests that this penalty may be uninsurable, but there is uncertainty on this point

If French law treats it as uninsurable, then a few of the leading US carriers could cover this, relying on their favorable jurisdiction provisions

If French law treats it as insurable, then we believe most (but not all) of the leading US carriers could cover this penalty

Defense for regulatory action is commonly provided by cyber policies and would not be excluded, even if the penalty were excluded on the grounds of insurability

Regulatory coverage can also be complicated by the linkage of an actual breach (there was no such breach for Google in this case) to a regulatory matter. Leading policies are generally favorable on this point, but it is not universal.

As with all matters of coverage, review of an actual policy, not a general form, is the best approach in determining likely coverage for scenarios such as this.

Frequently Asked Questions

Which EU authority made this decision?

The French supervisory authority, the CNIL (Commission Nationale de l’informatique et des libertés)

Why France instead of Ireland?

Although Google declared Ireland to be its Lead Supervisory Authority, the CNIL rejected this declaration because it asserted that Google’s data privacy directions and policies do not emanate from the Irish legal entity, which is a requirement for declaring a country your Lead Supervisory Authority. The CNIL therefore addressed the consumer complaints itself, having determined that it had authority on this matter. See the CNIL’s rationale on this question.

A violation of the obligation to have a legal basis for ad personalization

What Google entities are referenced in this decision by CNIL?

The penalty was imposed against Google LLC, a wholly owned Delaware subsidiary of Alphabet, Inc. Google LLC is based in Mountain View, CA. Google France SARL (the sole subsidiary of Google in France) received the decision for execution purposes.

What was the penalty amount?

A penalty of €50 million / $57 million was imposed. (For currency conversion we have used 1 USD = 0.87 EUR, i.e., 1 EUR = 1.15 USD.)

What was the maximum penalty CNIL could have awarded under GDPR?

This would be €3.64 billion / $4.28 billion. Google LLC’s annual revenue for 2017 was $107 billion USD. Since Google LLC is the entity in question, the maximum penalty under GDPR could have been 4% of $107 billion, or about $4.28 billion / €3.64 billion.

Why was the penalty so much less than the maximum?

The CNIL did not provide a specific financial rationale for how it arrived at the penalty, although it cited a number of factors in its decision that provide some context.

This is a hotly debated subject with little certainty at this time. Our understanding is that under French law, data protection fines are classified as administrative fines. While there is no express prohibition against insuring administrative fines, the prevailing legal opinion in France (including that expressed by the courts) is that such fines are punitive in nature and are therefore not insurable, on public policy grounds.

Presuming cyber coverage is available for Google LLC, what other jurisdictions might Google consider in seeking insurance coverage, if indeed French law prohibits such coverage?

Two likely candidates would be:

California – Google’s headquarters

Delaware – Google LLC is a Delaware LLC

Even if the wording might be construed to provide a choice of jurisdiction, will carriers support such a choice in practice?

Why Willis Towers Watson?

More than half of all cyber incidents begin with employees, so it’s a people problem. And the average breach costs $4 million, so it’s a capital problem, too. No one decodes this complexity better than Willis Towers Watson. As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class cybersecurity solutions and radically improve your ability to successfully recover from future attacks.